Looks OK, thanks! I have one suggestion on F59511080, but it is non-blocking - feel free to move forward.

In T392341#10776000, @mszabo wrote:

Looks OK, thanks! I have one suggestion on F59511080, but it is non-blocking - feel free to move forward.

@Mstyles if this is enough, can we deploy these patches?

Ah I'm sorry I haven't quite made these patches correctly. Let me fix them so they're deployable and post an update when I've done that.

These should now have the appropriate commit message and be ready for deploy.

01-T392341:

• ArchivePage.php/UnarchivePage.php have a hardcoded error message, but that's expected in a Security patch
  • Don't refer to it as a security token - see what we do elsewhere for token mismatch. Ideally have the message to be what it will be when i18n-ified
• Do we need a specific archive token salt? If so, it really needs "exposing" via a https://doc.wikimedia.org/mediawiki-core/master/php/interfaceMediaWiki_1_1Api_1_1Hook_1_1ApiQueryTokensRegisterTypesHook.html handler as per https://gerrit.wikimedia.org/g/mediawiki/core/+/439a2fafc84c9431a46c8c528ed936e80d85cc0e/includes/api/ApiQueryTokens.php#78 - If there is no good reason, can we just use csrf/the default?
• ArchivedPager.php - Similar, why are we doing getToken( $subpage )? Does this need to be so variable (never mind the exposing)?

02-T392341:

• Looks fine

03-T392341

• Same again about the token salts
• Same again for the error message

04-T392341

• Docs for SetTranslationHandler::__construct will need updating (or probably remove it) because it's now out of date

05-T392341

• Looks fine too

• Updated the message to refer to a session instead of the token (other places also refer to it as a permissions issue but session felt more accurate)
• I don't think it needs to be a specific salt but maybe someone who knows more has a different opinion? For now I've removed the un/archive salt.

• Resolved message/salt as above

• Removed constructor docs

@STran are these patches ready for deployment? I would like to make sure they get out sooner than later.

I think votewiki is fairly locked down so @jrbs may be the best person to ask. I have an account there and could probably run these steps myself if someone wants to assign me the rights.

01-T392341

• Confirm that if you don't pass a token through in the URL, you can't archive an election
• Confirm that if pass a token through in the URL, you can archive an election

02-T392341

• Make a new STV poll with one of the options being <script>alert("XSS")</script>
• Confirm that when you view the ongoing election, an alert doesn't pop up

(and for whenever the other patches go in)

03-T392341

• Add a voter eligibility list (You can take this action on ended elections)
• Confirm that if you don't pass a token through in the URL, you can't clear the list
• Confirm that if pass a token through in the URL, you can clear the list

04-T392341
(This may not be possible to test since I'm not sure we've enabled the config yet)

• Confirm that you can't use the translate feature if you're not an election admin

05-T392341
(This may not be possible to test since I'm not sure we've enabled the config yet)

• Create a page, foo/ style='animation: oo-ui-pendingElement-stripes' onanimationstart='location="duckduckgo.com"'
• From the /translate page of a poll, try to use the "Import translations" feature and enter 'foo' as the URL and submit
• Confirm that the list of pages pulled contains the payload page but that you are not redirected

In T392341#10794341, @STran wrote:

I think votewiki is fairly locked down so @jrbs may be the best person to ask. I have an account there and could probably run these steps myself if someone wants to assign me the rights.

01-T392341

• Confirm that if you don't pass a token through in the URL, you can't archive an election
• Confirm that if pass a token through in the URL, you can archive an election

02-T392341

• Make a new STV poll with one of the options being <script>alert("XSS")</script>
• Confirm that when you view the ongoing election, an alert doesn't pop up

(and for whenever the other patches go in)

03-T392341

• Add a voter eligibility list (You can take this action on ended elections)
• Confirm that if you don't pass a token through in the URL, you can't clear the list
• Confirm that if pass a token through in the URL, you can clear the list

04-T392341
(This may not be possible to test since I'm not sure we've enabled the config yet)

• Confirm that you can't use the translate feature if you're not an election admin

05-T392341
(This may not be possible to test since I'm not sure we've enabled the config yet)

• Create a page, foo/ style='animation: oo-ui-pendingElement-stripes' onanimationstart='location="duckduckgo.com"'
• From the /translate page of a poll, try to use the "Import translations" feature and enter 'foo' as the URL and submit
• Confirm that the list of pages pulled contains the payload page but that you are not redirected

Thanks for compiling this and sorry for my delay in responding! I have provided you the relevant rights on votewiki if you want to test these yourself in production.

@STran - per @jrbs' rights-granting above, would you be available to help test the rest of the security patches during next Monday's security deployment window?

I've run through the QA steps as stated above:

01-T392341

• Confirmed you need a valid token to archive an election
• Confirmed you need a valid token to unarchive an election

02-T392341
I was trying to test this as it seems like Securepoll is currently broken. I've just filed T393790: SecurePoll can no longer add questions to new polls.

Is it possible to deploy 03-T392341 for QA independently of 04-T392341 and 05-T392341? 04/05 depend on a configuration option that I'm not sure has been enabled on production servers yet. I'm wondering if we could take some of this through the non-security flow and fix it as part of enabling the feature? Or should we enable the feature first, confirm it's broken, and fix it as part of the security workflow?

@sbassett oh you also just posted. Yes I can be available at that time but only 01-T392341 and 03-T392341 are testable as 02/04/05 all rely on features that are currently broken.

In T392341#10807744, @STran wrote:

@sbassett oh you also just posted. Yes I can be available at that time but only 01-T392341 and 03-T392341 are testable as 02/04/05 all rely on features that are currently broken.

Ok, sounds good. 01 and 02 are already deployed, so I suppose you could test those whenever, now that you have votewiki perms. We can deploy 03 during this coming Monday's security deployment window and test at that time. And we can do whatever we need to, in order to accommodate 04 and 05, if those are dependent upon a config patch or whatever.

@sbassett I've already tested 01 and confirmed it's behaving as expected. I can't test 02 until the fix for for T393790 is in (this can be backported if necessary, I'm doublechecking now). 03 can be tested when it's deployed in the next security deployment window. As for 04 and 05. I think we have 2 options:

1. Deploy config, then 04/05. We need to set $wgSecurePollTranslationImportSourceUrl to https://meta.wikimedia.org/w/api.php which @jrbs has mentioned is where translations for elections happen. I've looked and confirmed that there are translations we can test against (examples). This has the benefit of allowing no lapse in vulnerability availability and the fix, as the API fix and the permission check are bundled together in 04. We'd roll back the config change when Ibdbe436331dbac847cf5a224baee8eb3bc6e9bb4 goes out.

2. Work around Ibdbe436331dbac847cf5a224baee8eb3bc6e9bb4. This work was done to resolve T387720: Prefer a parameter over a configuration for importing translations in SecurePoll and I think can be merged sooner rather than later. I think ideally 04 would go in first, which is the permission check and incidentally fixes the API call, then this patch which makes it easier to test the feature. However, this seems like it could cause us a few headaches between managing versions, rebases, conflicts, etc.

I backported T393790 this morning, tested 02, and confirmed it worked as expected. Next steps for 03, 04, and 05 are outlined as above.

In T392341#10811903, @STran wrote:

I backported T393790 this morning, tested 02, and confirmed it worked as expected. Next steps for 03, 04, and 05 are outlined as above.

Ok, thanks for the backporting and testing for 02. I'll plan to deploy patch 03 today and let you test when you can.

And then it sounds like we should work to get Ibdbe43633 merged so we can deploy and easily test 04 and 05?

After coordinating with @STran, I've deployed patches 03, 04 and 05 (SAL). Error rates seem fine. @STran will now test patch 03 and once Ibdbe43633 is merged and rolls out with wmf.29 this week, they will be able to test and confirm patches 04 and 05 (which are basically just noops in production for the time being).

Tested 03 on votewiki and confirmed that the voter eligibility clear list link now passes along a token and that token is required to perform the action.

Thanks for everyone's work on this. Sounds like 1-3 are done and we are waiting on 4-5. Are 4-5 blockers for T378287: Enable SecurePoll extension and electionclerk user group on enwiki, or are those "minor" enough that T378287 can proceed?

I'd like to wait for 4 and 5 as an unprotected open translation interface seems kind of bad, doubly so since afaik we don't log changes to translations. The fix should roll out with an update that re-enables the feature (feature is on the main branch, security patches are being merged in as necessary) with this train, assuming no train blockers.

We'll need to update patch #4 due to T394900.

New 04 patch

In addition to the updated 04 patch, QA needs to wait on I1b4fbcabbca7cc5475c7bbd429cb8ab068bc4ee3 to be backported, which I've scheduled for the upcoming window.

Backported but now blocked on the php fatal error

In T392341#10843834, @STran wrote:

New 04 patch

04-T392341.patch3 KBDownload

Updated patch is now deployed to 1.45-wmf.2.

Confirmed that:

04

• I cannot access the translation endpoint of an election I'm not an admin for

05

• A translation page with an XSS payload is not triggered when I attempt to import it via the import dialog

Change #1149618 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Require an edit token to archive/unarchive elections

https://gerrit.wikimedia.org/r/1149618

Change #1149655 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Sanitize displayed STV option text

https://gerrit.wikimedia.org/r/1149655

Change #1149664 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Require an edit token to clear voter eligibility lists

https://gerrit.wikimedia.org/r/1149664

Change #1149668 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Gate access to SetTranslationHandler

https://gerrit.wikimedia.org/r/1149668

Change #1149669 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Escape links generated by the translation import results tab

https://gerrit.wikimedia.org/r/1149669

Change #1149655 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Sanitize displayed STV option text

https://gerrit.wikimedia.org/r/1149655

Change #1149618 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Require an edit token to archive/unarchive elections

https://gerrit.wikimedia.org/r/1149618

Change #1149668 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Gate access to SetTranslationHandler

https://gerrit.wikimedia.org/r/1149668

Change #1149664 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Require an edit token to clear voter eligibility lists

https://gerrit.wikimedia.org/r/1149664

Ran scap remove-patch for the first 4 patches, which were merged in gerrit: https://sal.toolforge.org/log/bx7M_5YBffdvpiTrqZR4

Change #1149669 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Escape links generated by the translation import results tab

https://gerrit.wikimedia.org/r/1149669

In T392341#10860157, @gerritbot wrote:

Change #1149669 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Escape links generated by the translation import results tab

https://gerrit.wikimedia.org/r/1149669

So this should now get cut for 1.45.0-wmf.4 next week, and we'll be able to remove it from deployment. Maybe I can do that on Thursday or Friday before @SecurityPatchBot sets this as a UBN over the weekend :)

It looks like the last remaining security patches will ride the train on Thursday. Is there a manual testing step after these ride the train, or can we close this ticket on Thursday? Also, will T378287: Enable SecurePoll extension and electionclerk user group on enwiki become unblocked on Thursday?

In T392341#10880971, @Novem_Linguae wrote:

It looks like the last remaining security tickets will ride the train on Thursday.

Correct.

Is there a manual testing step after these ride the train, or can we close this ticket on Thursday?

There shouldn't need to be as the patches were tested by @STran when we deployed them initially (04 and 05 mentioned in T392341#10844541)

Also, will T378287: Enable SecurePoll extension and electionclerk user group on enwiki become unblocked on Thursday?

It should, yes, if this was the only task blocking it.

Change #1165927 had a related patch set uploaded (by Mmartorana; author: STran):

[mediawiki/extensions/SecurePoll@REL1_44] SECURITY: Require an edit token to archive/unarchive elections

https://gerrit.wikimedia.org/r/1165927

Change #1165927 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_44] SECURITY: Require an edit token to archive/unarchive elections

https://gerrit.wikimedia.org/r/1165927

Change #1166900 had a related patch set uploaded (by Dreamy Jazz; author: STran):

[mediawiki/extensions/SecurePoll@REL1_44] SECURITY: Require an edit token to clear voter eligibility lists

https://gerrit.wikimedia.org/r/1166900

Change #1166900 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_44] SECURITY: Require an edit token to clear voter eligibility lists

https://gerrit.wikimedia.org/r/1166900